Create temporary AWS sessions to use MFA with CLI tools and impersonate accounts.
When enforcing multi-factor authentication on AWS IAM user accounts, sending API calls directly will no longer work. Standard tools and libraries only have limited support for creating temporary sessions.
The official AWS documentation describes commands to create user sessions using the AWS CLI, but these are not automated and require manually copying tokens around, which impairs security.
aws-session is a shell script that asks for a security token and returns temporary session credentials to be used in the current shell. The script should be called through source to automatically set these temporary credentials in the shell environment:
source aws-session
This will query the current AWS profile (or the default profile) for a list of MFA devices, pick the first one, then ask for a security token. Type in this security token, and your current shell will have a valid MFA-authenticated AWS session.
The script supports additional modes of operation.
source aws-session mfa [DEVICE-ARN]
Without DEVICE-ARN, this has the same effect as running the script without arguments. The script will pick the first MFA device on the user's account and ask for an MFA token code, then create a session using these credentials.
If there are several MFA devices, a device ARN can be given to select a specific device.
source aws-session pose [ACCOUNT-ID] [ROLE]
Use the assume-role API to impersonate a role on another account the current session/user has access to.
The ACCOUNT-ID and ROLE parameters are optional. When no account ID is given, a list of organization accounts will be shown to choose from.
If the role is omitted, the OrganizationAccountAccessRole role on the target account will be used by default. This role is automatically created in accounts generated by the organizations API.
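As an added illustration (not the project's aws-session script), the two modes above map onto two STS calls; the functions below are written to be sourced, so the exports land in the caller's shell. It assumes the user's long-term keys live in the configured profile (not only in environment variables), uses a 12-hour session, and names the role session after $USER.

```shell
# Turn the tab-separated output of an STS call into the environment variables
# that the AWS CLI and SDKs read; the field order matches the --query below.
set_session_env() {
    read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION <<EOF
$1
EOF
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION
    echo "session valid until $AWS_SESSION_EXPIRATION" >&2
}

# Role ARN for the target account; the role name defaults to the one Organizations creates.
role_arn() {
    printf 'arn:aws:iam::%s:role/%s\n' "$1" "${2:-OrganizationAccountAccessRole}"
}

# aws_mfa_session [DEVICE-ARN] [TOKEN-CODE]: like "aws-session mfa". Without
# DEVICE-ARN the first registered device is used; without TOKEN-CODE it prompts.
aws_mfa_session() {
    serial=$1 code=$2
    if [ -z "$serial" ]; then serial=$(aws iam list-mfa-devices --query 'MFADevices[0].SerialNumber' --output text) || return 1; fi
    case $serial in ''|None) echo "no MFA device registered for this user" >&2; return 1 ;; esac
    if [ -z "$code" ]; then printf 'MFA code for %s: ' "$serial" >&2; read -r code; fi
    case $code in [0-9][0-9][0-9][0-9][0-9][0-9]) ;; *) echo "token code must be 6 digits" >&2; return 1 ;; esac
    # GetSessionToken only works with long-term keys, so an earlier temporary
    # session in the environment must be dropped (the profile's keys take over).
    if [ -n "$AWS_SESSION_TOKEN" ]; then unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; fi
    creds=$(aws sts get-session-token --serial-number "$serial" --token-code "$code" \
        --duration-seconds 43200 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text) || return 1
    set_session_env "$creds"
}

# aws_assume_role [ACCOUNT-ID] [ROLE]: like "aws-session pose". Signs the
# AssumeRole call with whatever credentials are in the environment now.
aws_assume_role() {
    account=$1
    if [ -z "$account" ]; then
        aws organizations list-accounts --query 'Accounts[].[Id,Name]' --output text >&2
        printf 'Account ID: ' >&2; read -r account
    fi
    case $account in [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "account ID must be 12 digits" >&2; return 1 ;; esac
    creds=$(aws sts assume-role --role-arn "$(role_arn "$account" "$2")" \
        --role-session-name "aws-session-${USER:-cli}" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text) || return 1
    set_session_env "$creds"
}
```

Because both functions validate their inputs before calling STS and never print the credentials, a typo in the token code or account ID fails locally instead of producing a confusing API error.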
aws-session is Copyright © 2020-2023 SWISS TXT AG and may be used under the terms of the Simplified BSD License. See the LICENSE file for details.